Sick of botnets? This might help… (Not a support request.)

So, plenty of us have gotten hammered by botnets recently. Using fail2ban and this plugin does help, but a lot of us still have a problem. I’m getting hit by thousands of different IPs a day and they are only reusing the IPs once or twice. The login requests themselves are relatively resource intensive and, when enough come all at once, they can bring a small server to its knees pretty quickly.

There are some suggestions out there for using mod_rewrite and checking referrer and/or IP address but they all have their drawbacks. (Just try getting it right with multi-siting, multiple users, and a CDN or two.)

It’s admittedly just a hack. And it’s based on the fact that somewhere north of 99.9% of the attacks I’ve seen are aimed at the “admin” user and another .09% are aimed at users like ‘adminadmin’, ‘Administrator’, and ‘adm’. (Of course, I don’t have any valid admin users with obvious usernames like that, so this works for me.)

Maybe I should send back a 403 or something, but immediately dying works fine as these aren’t real users anyway.

The reason I modified wp-fail2ban.php rather than just add this as a separate plugin is because I still want to log the failures–I blacklist these IPs–and it seemed reasonable to do it all in one place.

I also have created a second .conf just for admin attacks, this way I can set an immediate ban on first attempt and ban the IP for a week, whilst the rest multiple attempts and a more reasonable ban time.

I’m glad this has picked up some interest. It has been a stellar solution for me.

Invisnet – I haven’t checked out your update yet. I’ll do that.

llocally – I’ve got a custom wordpress-admin.conf too, but I think I’m a little more draconian than you. 🙂 Firstly, I look for any failure from adm.*. Secondly, I don’t limit my blocks to certain ports; I just start dropping packets from the that IP. Thirdly, I block them semi-permanently. When my blacklist gets very long I do clear out old entries, but on average a blocked IP will sit on there for months.

I keep several different block lists and use IP sets to maintain them, so I have custom actions for that.

As to sleep()ing on failed attempts, the problem with that is you are just tying up your server process. While it is sleeping, it can neither answer legitimate requests nor boot more bots. That makes it very easy to DoS you.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Sick of botnets? This might help… (Not a support request.)’ is closed to new replies.